Section 164.316(b)(1) of the final Security Rule states: (i)Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity, or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity or assessment. 2. Implementation specifications: (i) Time Limit (required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it was last in effect, whichever is later.
In the absence of your own company specific requirements for record retention, it would seem to me that using the HIPAA 6 year rule of thumb is reasonable. If we can agree that the purposes of audit documentation is to determine areas of risk for process improvement and show compliance with the regulation (and required audit processes, including frequency, are documented in organization policy and procedure), then you would always have a running trail of documentation that will prove compliance with the rules and your own company policy.
Remember, HIPAA complaints must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Office for Civil Rights for good cause shown. Many rules around record retention coincide with various statutes of limitations for litigation. Again, in my opinion, the 6 year rule, in the absence of organization or state law should be adequate.
Linda Hall, RN, BSN, CPHQ
Director, Quality and Compliance
McKesson Medication Management
Email: [EMAIL PROTECTED]
-----Original Message-----
From: Chris McLean [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 22, 2003 2:30 PM
To: WEDI SNIP Security Workgroup List
Subject: RE: Acceptable time-frames to keep Audit logs
I don't remember seeing anything specifically for audit logs, but I remember
seeing the 6 year retention mandate somewhere. I just can't place it right
now. maybe in the privacy side? I, to be on the safe side, would include
audit logs and any risk assessment reviews in the specified record retention
time frame. To me it makes prudent sense to keep the documentation .
Especially to prove compliance, let alone legal aspects, which I don't have
the expertise to dive into.
But this is just my humble opinion.....
Chris McLean
Network Coordinator
Greystone Health Care Management
(813) 635-9500
[EMAIL PROTECTED]
-----Original Message-----
From: KERBER, JEFF [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 22, 2003 2:15 PM
To: WEDI SNIP Security Workgroup List
Subject: RE: Acceptable time-frames to keep Audit logs
Where in the security rules do you see a 6 year mandate for audit logs?
-----Original Message-----
From: Price, Carolyn [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 22, 2003 12:39 PM
To: WEDI SNIP Security Workgroup List
Subject: RE: Acceptable time-frames to keep Audit logs
HIPAA mandates 6 years. However, state laws vary, and if your state law
requires a retention period that is longer than the HIPAA mandate, the state
law rules.
Carolyn Price
-----Original Message-----
From: Pat Cupo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 22, 2003 10:25 AM
To: WEDI SNIP Security Workgroup List
Subject: Acceptable time-frames to keep Audit logs
We are currently developing policies & procedures for Audit & System
Change Controls. Does anyone have an idea as to how long these Audit
logs must be kept?
Patrick J. Cupo
Senior Systems Coordinator
Abington Memorial Hospital
(215) 481-5606
[EMAIL PROTECTED]
"We Provide Very Good Care"
****************** CONFIDENTIALITY NOTICE **********************
This e-mail contains LEGALLY PRIVILEGED AND CONFIDENTIAL INFORMATION
intended only for the use of the recipient named above. If you are not
the intended recipient, you are hereby notified that any dissemination or
copying of this e-mail is strictly prohibited. If you have received this
e-mail in error, please notify the transmitting hospital by telephone or
e-mail and delete the original e-mail received in error.
THIS INFORMATION HAS BEEN DISCLOSED TO YOU FROM RECORDS WHOSE
CONFIDENTIALITY IS PROTECTED BY STATE AND FEDERAL LAW. ANY FURTHER
DISCLOSURE, COPYING, DISTRIBUTION OR ACTION TAKEN IN RELIANCE ON THE
CONTENTS OF THESE DOCUMENTS WITHOUT THE PRIOR WRITTEN CONSENT OF THE
PERSON TO WHOM IT PERTAINS IS PROHIBITED. YOU ARE REQUIRED TO DESTROY
THE INFORMATION AFTER THE STATED NEED HAS BEEN FULFILLED.
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org
"This electronic message may contain information that is confidential and/or
legally privileged. It is intended only for the use of the individual(s)
and entity named as recipients in the message. If you are not an intended
recipient of the message, please notify the sender immediately and delete
the material from any computer. Do not deliver, distribute, or copy this
message, and do not disclose its contents or take action in reliance on the
information it contains. Thank you."
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org
**************************************************************
**************************************************************
This email and any attachments addressed from [EMAIL PROTECTED] is intended for the exclusive use of [EMAIL PROTECTED] The
information contained in this email may be proprietary, confidential, privileged, and exempt from disclosure under
applicable law. If the reader of this email is not [EMAIL PROTECTED] or an agent responsible for delivering the
message to the intended recipient, the reader is hereby put on notice that any use, dissemination, distribution, or
copying of this communication is strictly prohibited. If the reader has received this communication in error,
please immediately notify [EMAIL PROTECTED] by email and delete all copies of this email along with any attachments.
**************************************************************
**************************************************************
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
---The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
